2. What is ISO 27001?
An international standard on how to manage information security. It was published jointly by the
International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
in 2005 and revised in 2013.
It specifies the requirements for establishing, implementing, maintaining and continually improving an
Information Security Management System (ISMS), whose aim is to help organizations make the information
assets they hold more secure.
ISO 27001: Specifies the requirements for an ISMS; this is the standard an organization is certified against.
ISO 27002: Provides the code of practice, i.e. the implementation guidance and best practices for the controls.
Applicable to all organizations irrespective of their size, type or nature.
3. Three key aspects of information
• Confidentiality: Information is not made available or disclosed to unauthorized people, entities or processes.
• Integrity: Information is complete and accurate, and is protected from unauthorized modification or corruption.
• Availability: Information is accessible and usable when authorized users require it.
4. 114 controls in 14 groups (Annex A clauses) and 35 control objectives
(These counts refer to the 2013 edition; the 2022 revision restructures Annex A into 93 controls in four themes.)
A.5: Information security policies (2 controls)
A.6: Organization of information security (7 controls)
A.7: Human resource security (6 controls, applied before, during and after employment)
A.8: Asset management (10 controls)
A.9: Access control (14 controls)
A.10: Cryptography (2 controls)
A.11: Physical and environmental security (15 controls)
A.12: Operations security (14 controls)
A.13: Communications security (7 controls)
A.14: System acquisition, development and maintenance (13 controls)
A.15: Supplier relationships (5 controls)
A.16: Information security incident management (7 controls)
A.17: Information security aspects of business continuity management (4 controls)
A.18: Compliance, both with internal requirements such as policies and with external requirements such as laws (8 controls)
5. Implementation of ISO 27001
Define the internal context:
The key products and services the organization provides, and how its security
requirements align with the goals and objectives of the business.
Define the external context:
• What legislation applies to the organization from a security point of view?
• What threats and risks does it face from outside?
• If the organization holds intellectual property, would competitors be interested in it?
• What data does it hold that would be of interest to threat actors?
6. Implementation of ISO 27001
Management approval requires:
• A clearly defined scope covering the internal and external context
• A clear understanding of the strategy to be used and the benefits expected from it
Risk assessment:
Identify the threats, vulnerabilities and likely data-breach points, together with the
sources of risk: insider fraud, competitors and cyber-criminal groups.
7. Implementation of ISO 27001
Statement of Applicability: the document that records which of the Annex A controls the
organization implements, which it excludes, and the justification for each decision.
A control is selected when at least one of the following applies:
• There is an identified risk that the control is needed to manage.
• There is a legal requirement to implement the control (e.g. data protection law such as the GDPR).
• There is a regulatory requirement for the control.
• There is a contractual obligation to customers that requires the control.